| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
| |
https://fedorahosted.org/sssd/ticket/1440
|
|
|
|
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/1783
When dn in member attribute is invalid (e.g. rdn instead of dn)
or it is outside of configured search bases, we might hit a situation
when tevent_req is marked as done before any callback could be
attached on it.
|
| |
|
|
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/1581
If the namingContext attribute had no values or multiple values, then
our code would dereference a NULL pointer.
|
|
|
|
|
|
|
|
| |
Certain LDAP servers can return an empty string as the value of
namingContexts. We need to treat these as NULL so that we can fail
gracefully.
https://fedorahosted.org/sssd/ticket/1542
|
|
|
|
|
|
| |
Fixes
https://fedorahosted.org/sssd/ticket/1526
in the 1.8 branch
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The list of resolved servers is allocated on the back end context and
kept in the fo_service structure. However, a single request often
resolves a server and keeps a pointer until the end of a request and
only then gives feedback about the server based on the request result.
This presents a big race condition in case the SRV resolution is used.
When there are requests coming in in parallel, it is possible that an
incoming request will invalidate a server until another request that
holds a pointer to the original server is able to give a feedback.
This patch simply checks if a server is in the list of servers
maintained by a service before reading its status.
https://fedorahosted.org/sssd/ticket/1364
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/1515
|
|
|
|
|
| |
The attribute is supposed to contain number of days since the epoch, not
the number of seconds.
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/1452
|
|
|
|
|
|
|
|
| |
https://bugzilla.redhat.com/show_bug.cgi?id=846664
If the first group was cached when processing the nested group membership,
we would call tevent_req_done, effectivelly marking the whole nesting
level as done.
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/1271
|
|
|
|
|
|
| |
There was an issue when IPA provider didn't set PAM_SUCCESS when
successfully finished loading SELinux user maps. This lead to the map
not being read in the responder.
|
|
|
|
|
|
| |
structure
https://fedorahosted.org/sssd/ticket/1343
|
|
|
|
|
| |
* When it's actually a failure, then the callers will print
a message. Fine tune this.
|
|
|
|
|
|
|
|
|
|
|
| |
* When calling krb5_get_init_creds_keytab() with
krb5_get_init_creds_opt_set_canonicalize() the credential
principal can get updated.
* Create the cache file with the correct default credential.
* LDAP GSSAPI SASL would fail due to the mismatched credentials
before this patch.
https://bugzilla.redhat.com/show_bug.cgi?id=811518
|
|
|
|
|
|
|
|
|
| |
* Load the enctypes for the keys in the keytab and pass
them to krb5_get_init_creds_keytab().
* This fixes the problem where the server offers a enctype
that krb5 supports, but we don't have a key for in the keytab.
https://bugzilla.redhat.com/show_bug.cgi?id=811375
|
| |
|
| |
|
| |
|
|
|
|
|
|
|
|
| |
When the ldap child process is killed after a timeout, try the next KDC.
When none of the ldap child processes succeed, just abort the connection
because we wouldn't be able to authenticate to the LDAP server anyway.
https://fedorahosted.org/sssd/ticket/1324
|
|
|
|
|
|
|
|
|
|
|
|
| |
Previous version of the SSSD did not abort the async LDAP search
operation on errors. In cases where the request ended in progress, such
as when the paging was very strictly limited, the old versions at least
returned partial data.
This patch special-cases the LDAP_SIZELIMIT_EXCEEDED error to avoid a
user-visible regression.
https://fedorahosted.org/sssd/ticket/1322
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/1320
|
| |
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/1258
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/1307
|
| |
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/1249
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/1282
|
|
|
|
|
|
|
|
|
| |
There were many places where we were printing (null) to the logs
because a NULL keytab name tells libkrb5 to use its configured
default instead of a particular path. This patch should clean up
all uses of this to print "default" in the logs.
https://fedorahosted.org/sssd/ticket/1288
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/1270
|
|
|
|
| |
case-insensitive domains
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/1260
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/1274
|
|
|
|
|
|
|
|
|
|
| |
We were never freeing "result" if it was allocated by
ldap_result(). We were also not freeing "errmsg" if it was
allocated but ldap_parse_result() returned an error.
Also disambiguate error messages from ldap_parse_result() and
error messages from sss_ldap_get_diagnostic_msg() since they use
differing memory-management functions.
|
| |
|
| |
|
| |
|
|
|
|
|
|
|
|
| |
If we can't reach the RootDSE, let's just proceed as if it's
unavailable with reasonable defaults. If we fail later on, that's
fine.
Fixes https://fedorahosted.org/sssd/ticket/1257
|
| |
|
| |
|
| |
|
| |
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/1242
|
| |
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/1238
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/1227
|
|
|
|
| |
We want to consume this in the IPA provider.
|
|
|
|
|
|
|
| |
Instead of keeping the number of parent groups in "state" and having to
reset the count when moving to another group on the same level, keep
track of the all groups on a particular level along with their parents
and parent count.
|
| |
|